A Lesson in Data Courtesy

The Feedback

There are many potential reasons for the level of non-compliance with the new privacy protocols by online data users. The privacy ordinance is still relatively recent ' it became effective in December 1996 ' and a certain level of 'foot dragging' is to be expected. Lau refers to the general resistance of the local business community to any perceived departure from the laissez-faire policies of successive Hong Kong governments. He has, perhaps predictably, had some negative feedback from companies complaining that the new privacy re- quirements add to the cost of doing business. He points out, however, that most of the new requirements are for measures which must already have been accounted for in companies' balance sheets ' such as ensuring personal data are secure and accurate. Only two of the new requirements can be said to incur genuinely additional costs ' the requirement to notify individuals if data collected for one purpose are used for another, and the requirement to give individuals access to personal data relating to them. Neither of these requirements involve massive expenditure and, in the latter case, the privacy ordinance allows companies to charge individuals who demand to see personal data for the access costs.

Having spent half of his working career in the private sector, Stephen Lau feels he is well qualified to promote good practice on information privacy to companies in the SAR. 'I believe one of the reasons I got this job is because I have experience in both the private and public sectors. The public sector tends to think in terms of the law, but the private sector wants a laissez-faire market. Since I have worked in the private sector I can talk to them on an equal basis.'

Lau's pitch in promoting the new privacy protocols is based on two strong arguments ' firstly they represent good information handling practice which will enhance companies' competitiveness, and secondly, without adequate privacy controls, the free flow of information from the SAR's trading partners could be in jeopardy.

Good Practice
The privacy ordinance is, of course, designed to enforce respect for the privacy of the individual. Dissenters have argued that the concept of privacy is in fact an import from the West and not a high priority in Hong Kong. Lau believes that it is irrelevant to label privacy as a 'Western' or 'non-Chinese' value since historically increasing affluence has always tended to lead to greater importance being attached to privacy.

'Of course in developing countries where the prime concern is basic human preservation privacy might be an insignificant concern, but we live in an affluent, progressive and evolving society where it is seen as increasingly important,' says Lau.

He adds that the importance of privacy to Hong Kong people is clear from the number of complaints the PCPD has received ' as at 7 December 1998, the PCPD had received 606 privacy complaints, which is double the number received in 1997. Moreover, the PCPD's annual survey, designed to assess popular attitudes towards privacy, found this year that privacy was ranked 7.6 out of 10 in importance, which was the same score given to hygiene and medical services.

This suggests that businesses in Hong Kong ' particularly those involved in services ' need to take seriously the importance people attach to preserving their privacy. 'The law is about respect for the privacy of the person,' says Lau, 'if you are given custody of personal data you should not use it for anything other than the purpose intended.'

He stresses that the data protection principles outlined in the privacy ordinance ' maintaining data accuracy, maintaining data security, issuing purpose statements on collection, allowing access ' are simply good information handling practices which, irrespective of the law, enable companies to show that they respect their customers and employees.

The Argument From Trade
'In Hong Kong our economic lifeblood is trade, if we did not have this [privacy ordinance] we would put ourselves at a competitive disadvantage.' Perhaps Lau's strongest argument in favour of strong privacy controls is based on the need to show the SAR's trading partners that it can be trusted as the custodian of personal data.

The European Union (EU) issued a directive which became effective in October 1998 prohibiting cross-border data flow to countries that do not have adequate data protection measures. For the EU 'adequate data protection measures' means data protection legislation which cuts across all activities and covers both the public and private sectors, and an independent body to enforce that legislation.

This directive has become something of a political football between the EU and the US, since the US favours a self-regulatory approach to privacy protection. There is therefore no generic privacy law in the US and privacy protocols for individual sectors ' telecom, direct marketing, medical, etc ' are supposed to be enforced by their relevant professional bodies.

Critics of this approach say that it is like hiring Dracula to look after a blood bank, and the EU has voiced concerns about adequate enforcement of privacy controls in the US. Stephen Lau expects this disagreement between the EU and US to emerge into litigation soon, perhaps in cases where multinational US companies operating in Europe want to transfer personal data back to the US.

The debate is also very much alive in Asia where, apart from Hong Kong and New Zealand, most countries do not comply with the EU definition of adequate data protection measures. Lau speculates that this will provide a strong incentive for China to consider data protection legislation. 'Personally I don't know of an organisation that could be regarded as my counterpart in China, but China should be, and must be, interested in this kind of regulation because of the trading issue with the EU.'

Lau believes that Hong Kong has adopted the best system to guarantee privacy protection ' the self-regulatory approach, he says, is too vulnerable to vested interests ' but there are ways in which Lau would like to see the current system improved. Principally, this would involve allowing the PCPD to award moderate financial compensation to victims in privacy disputes, to be paid by the privacy offenders, where the dispute does not warrant a resort to costly and time-consuming court procedure.

'This is on my wish list ' It would be nice to have some flexibility in awarding compensation. We are not thinking about huge amounts of money, but that would bridge the gulf between the criminal procedure and no compensation,' says Lau.

Another potential reform on Lau's wish list is the enactment of formal exemptions for people involved in the collection of personal data where strict compliance with the 'purpose statement' requirement would be unworkable. For example, social workers trying to establish trust with their charges.

Qi Lin

This article was published in "Company Secretary" (Jan 1999 Vol 9 No.1), the official publication of the Hong Kong Institute of Company Secretaries.